On Thu, May 15, 2008 at 05:11:27AM +0200, Goswin von Brederlow wrote:
> The DSA signing uses (secret key + random) in the signature and that
> sum is trivial to compute given the signed message and public key. The
> security of DSA relies solely on the fact that random can't be guessed
> so you can't compute the secret key from the sum.
Actually it uses
(inverse random) * (hash + (secret key) * (number inferred from public key and random)).
> Also if you have 2 messages signed with the same random number you can
> compute the secret key. It is more complicated than this but
> simplified boils down to computing k given (k + r) * Message1 ==
> Signature1 and (k + r) * Message2 == Signature2.
For the details, since everyone doesn't read Planet Debian:
http://blog.sesse.net/blog/tech/2008-05-14-17-21_some_maths
/* Steinar */
--
Homepage: http://www.sesse.net/
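
An added illustration, not part of the original mail: a toy DSA signer built on the formula quoted above, with a check that flags signatures sharing the same r, which is what a repeated random value looks like from the outside. The group parameters, key, digests and nonces are all constructed and far too small for real use; the function names are hypothetical.

```python
# Toy DSA over a tiny group (constructed parameters, illustration only).
from collections import defaultdict

P, Q = 1019, 509                 # primes with Q dividing P - 1
G = pow(2, (P - 1) // Q, P)      # generator of the order-Q subgroup
X = 123                          # constructed secret key

def public_key(x):
    return pow(G, x, P)

def sign(h, k, x):
    """Sign digest h with per-signature random k and secret key x."""
    r = pow(G, k, P) % Q                   # depends only on k and the group
    s = pow(k, -1, Q) * (h + x * r) % Q    # (inverse random) * (hash + secret * r)
    if r == 0 or s == 0:
        raise ValueError("unusable random value, pick another k")
    return r, s

def verify(h, sig, y):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def reused_nonces(sigs):
    """Group signature indexes by r. With real-size parameters a group of
    two or more means the same k was used and the key must be replaced."""
    seen = defaultdict(list)
    for i, (r, _s) in enumerate(sigs):
        seen[r].append(i)
    return {r: idx for r, idx in seen.items() if len(idx) > 1}

# Constructed sample: the first and third signatures share a random value.
DIGESTS = [100, 200, 300]
NONCES = [3, 5, 3]
SIGS = [sign(h, k, X) for h, k in zip(DIGESTS, NONCES)]

if __name__ == "__main__":
    y = public_key(X)
    print("all valid:", all(verify(h, s, y) for h, s in zip(DIGESTS, SIGS)))
    print("shared r values:", reused_nonces(SIGS))
```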